yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-25 20:45:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added function preparing for faster multiplication

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2012-11-17 19:54:20 +01:00 committed by Paul Bakker
parent b4a310b472
commit 855560758c
2 changed files with 126 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
include/polarssl/ecp.h
View File

@ -97,6 +97,18 @@ ecp_group;
#define POLARSSL_ECP_DP_SECP384R1 3 #define POLARSSL_ECP_DP_SECP384R1 3
#define POLARSSL_ECP_DP_SECP521R1 4 #define POLARSSL_ECP_DP_SECP521R1 4
/*
* Maximum NAF width used for point multipliation. Default: 7.
* Minimum value: 2. Maximum value: 8.
*
* Result is an array of at most ( 1 << ( POLARSSL_ECP_NAF_WIDTH - 1 ) )
* points used for point multiplication, so at most 64 by default.
* In practice, most curves will use less precomputed points.
*
* Reduction in size may reduce speed for big curves.
*/
#define POLARSSL_ECP_NAF_WIDTH 7 /**< Maximum NAF width used. */
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {
#endif #endif

115
library/ecp.c
View File

@ -700,6 +700,70 @@ cleanup:
return( ret ); return( ret );
} }
/*
* Compute a modified width-w non-adjacent form (NAF) of a number,
* with a fixed pattern for resistance to SPA/timing attacks,
* see <http://rd.springer.com/chapter/10.1007/3-540-36563-X_23>.
* (The resulting multiplication algorithm can also been seen as a
* modification of 2^w-ary multiplication, with signed coefficients,
* all of them odd.)
*
* Input:
* m must be an odd positive mpi less than w * k bits long
* x must be an array of k elements
* w must be less than a certain maximum (currently 8)
*
* The result is a sequence x[0], ..., x[k-1] with x[i] in the range
* - 2^(width - 1) .. 2^(width - 1) - 1 such that
* m = (2 * x[0] + 1) + 2^width * (2 * x[1] + 1) + ...
* + 2^((k-1) * width) * (2 * x[k-1] + 1)
*
* Compared to "Algorithm SPA-resistant Width-w NAF with Odd Scalar"
* p. 335 of the cited reference, here we return only u, not d_w since
* it is known that the other d_w[j] will be 0. Moreover, the returned
* string doesn't actually store u_i but x_i = u_i / 2 since it is known
* that u_i is odd. Also, since we always select a positive value for d
* mod 2^w, we don't need to check the sign of u[i-1] when the reference
* does. Finally, there is an off-by-one error in the reference: the
* last index should be k-1, not k.
*/
static int ecp_w_naf_fixed( signed char x[], size_t k, unsigned char w,
const mpi *m )
{
int ret;
unsigned int i, u, mask, carry;
mpi M;
mpi_init( &M );
MPI_CHK( mpi_copy( &M, m ) );
mask = ( 1 << w ) - 1;
carry = 1 << ( w - 1 );
for( i = 0; i < k; i++ )
{
u = M.p[0] & mask;
if( ( u & 1 ) == 0 && i > 0 )
x[i - 1] -= carry;
x[i] = u >> 1;
mpi_shift_r( &M, w );
}
/*
* We should have consumed all the bits now
*/
if( mpi_cmp_int( &M, 0 ) != 0 )
ret = POLARSSL_ERR_ECP_GENERIC;
cleanup:
mpi_free( &M );
return( ret );
}
/* /*
* Integer multiplication: R = m * P (GECC 5.7, SPA-resistant) * Integer multiplication: R = m * P (GECC 5.7, SPA-resistant)
*/ */
@ -756,6 +820,7 @@ int ecp_self_test( int verbose )
{ {
int ret; int ret;
size_t i; size_t i;
int j, jj;
ecp_group grp; ecp_group grp;
ecp_point R; ecp_point R;
mpi m; mpi m;
@ -766,13 +831,61 @@ int ecp_self_test( int verbose )
"7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
"555555555555555555555555555555555555555555555555", "555555555555555555555555555555555555555555555555",
"5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25", "5EA6F389A38B8BC81E767753B15AA5569E1782E30ABE7D25",
"000000000000000000000000000000000000000000000010", /* "000000000000000000000000000000000000000000000010", TODO */
}; };
signed char x[3];
ecp_group_init( &grp ); ecp_group_init( &grp );
ecp_point_init( &R ); ecp_point_init( &R );
mpi_init( &m ); mpi_init( &m );
if( verbose != 0 )
printf( " ECP test #0 (naf): " );
for( j = 1; j < 32; j += 2 )
{
mpi_lset( &m, j );
x[0] = x[1] = x[2] = 0;
MPI_CHK( ecp_w_naf_fixed( x, 3, 2, &m ) );
jj = ( 2 * x[0] + 1 ) + 4 * ( 2 * x[1] + 1 ) + 16 * ( 2 * x[2] + 1 );
if( j != jj ||
x[0] > 1 || x[0] < -2 ||
x[1] > 1 || x[1] < -2 ||
x[2] > 1 || x[2] < -2 )
{
if( verbose != 0 )
printf( "failed\n" );
printf( "%i != %i (%i, %i, %i)\n", j, jj, x[0], x[1], x[2] );
ret = 1;
goto cleanup;
}
x[0] = x[1] = x[2] = 0;
MPI_CHK( ecp_w_naf_fixed( x, 2, 3, &m ) );
jj = ( 2 * x[0] + 1 ) + 8 * ( 2 * x[1] + 1 );
if( j != jj ||
x[0] > 3 || x[0] < -4 ||
x[1] > 3 || x[1] < -4 ||
x[2] != 0 )
{
if( verbose != 0 )
printf( "failed\n" );
printf( "%i != %i (%i, %i)\n", j, jj, x[0], x[1] );
ret = 1;
goto cleanup;
}
}
if( verbose != 0 )
printf( "passed\n" );
MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP192R1 ) ); MPI_CHK( ecp_use_known_dp( &grp, POLARSSL_ECP_DP_SECP192R1 ) );
if( verbose != 0 ) if( verbose != 0 )